DETAILED ACTION



1. This Office action is in response to the amendment filed on 8/20/08.

2. Claims 1-15, 21-29, 32-34 and 40-43 are pending.



Response to Arguments 



3. Applicant's arguments with respect to the amended claims have been considered 
but are moot in view of the new ground(s) of rejection. It is noted that Applicant's 
argument that the rejection fails to provide a "rationale as to why one of ordinary skill in 
the art would modify Vairavan using the teachings of Esbensen" (Remarks, pg. 16) is 
inadequate because Esbensen expressly discloses that the modification has the 
advantage of maintaining a dedicated intrusion detection system without decreasing 
network performance. (Esbensen, 2:42-47) 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-7, 12-15, 21-28, 34 and 40-47 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Vairavan US Patent Application Publication No. 20020083344 
(hereinafter Vairavan) in view of Esbensen US 5,796,942 (hereinafter Esbensen), and 
Martin et al. US 6,772,349 (hereinafter Martin); RFC 2819 and RFC 2021 are 
incorporated herein for properties of Remote Network Monitoring (RMON). 

6. As per claims 1-3, Vairavan discloses a method of intrusion detection, 
comprising: 

a. receiving at a probe data packets communicating over a first network link; 
converting the received data packets into a format suitable for a second network 
link; wherein the first network link is a WAN link and the second network link is a 
LAN and data packets are communicated over a third network link; (paragraph 
0047: network device has an access interface that couples one or more WANs 
and one or more LANs) 

b. and monitoring, by the probe, the received packets to evaluate network 
performance, (paragraph 0090) 

7. Vairavan does not disclose transmitting, by the probe, over a second network 
link, the packets to an intrusion detection system in communication with the second 
network link. Esbensen discloses an intrusion detection system whereby an 
agent/handler captures packets and transmits the packets over a second network link to 
an intrusion detection system in communication with the second network link. (Abstract; 
fig. 1; fig. 4). This setup has the advantage of maintaining a dedicated intrusion 
detection system without decreasing network performance. (Esbensen, 2:42-47) 
Therefore, it would be obvious to one of ordinary skill in the art at the time the invention 
was made for the method of Vairavan to transmit, by the probe over a second network 
link, the packets to an intrusion detection system in communication with the second 
network link. One would be motivated to do so to accrue the benefits of a dedicated 
intrusion detection system as taught by Esbensen. 

8. Finally, neither Vairavan nor Esbensen discloses collecting, by the probe, current 
network performance data based on the network performance; updating, by the probe, 
historical network performance information with the current network performance data; 
transmitting, by the probe over the second network link, the updated historical network 
performance information, wherein the updated historical network performance 
information is used by the intrusion detection system to detect an intrusion on the first 
network link. Martin discloses it is well known to situate RMON probes to collect data 
about the activities of network traffic at a network device, whereby the collected data is 
transferred via SNMP to a centralized network management computer. Col. 3:34-46. 
Furthermore, the RMON standard defines a "flow based" monitoring implementation 
whereby probes both collect and process data collected from a data flow; in 
particular, it defines the step of generating and updating historical data collected from a 
packet flow. See for example, RFC 2819, "historical statistical information", 
"etherHistoryEntry". As known in the art, RMON monitoring implementation reduces the 
amount of data sent to a management application because a substantial portion of the 
processing occurs at the probe. Martin further discloses using the received RMON data 
at a network manager for the purpose of securing a network. Col. 3:46-4:11. 
Therefore, it would be obvious to one of ordinary skill in the art at the time the 
invention was made to collect, by the probe, current network performance data based 
on the network performance; updating, by the probe, historical network performance 
information with the current network performance data; transmitting, by the probe over 
the second network link, the updated historical network performance information, 
wherein the updated historical network performance information is used by the intrusion 
detection system to detect an intrusion on the first network link. One would be 
motivated to do so to offload the processing from the central management application to 
the probes, thereby reducing bottlenecks at the management application as known to 
one of ordinary skill in the art. The aforementioned cover the limitations of claims 1-3. 

9. As per claim 4, the rejections of claims 1-3 as being unpatentable over Vairavan 
in view of Esbensen and Martin are incorporated herein. Although Vairavan does not 
disclose the step of aggregating the data packets received over the first network and the 
data packets over the third network, wherein the aggregated data packet appears to 
emanate from a single logical source, link aggregation is notoriously well known in the 
art as an inexpensive means to increase link speed beyond a capability of a single port. 
Link aggregation groups physical link segments of the same type and speed to treat 
them as the same logical link, thereby increasing the total bandwidth of the resulting 
logical link segment. Official Notice of this teaching is taken. It would be obvious to one 
of ordinary skill in the art at the time the invention was made to aggregate the data 
packets received over the first network and the data packets over the third network, 
wherein the aggregated data packet appears to emanate from a single logical source. 
One would be motivated to do so for a cost effective means of increasing the bandwidth 
of a link segment as known to one of ordinary skill in the art. The aforementioned 
cover the limitations of claim 4. 

10. As per claims 5-7, the rejections of claims 1-3 as being unpatentable over 
Vairavan in view of Esbensen and Martin are incorporated herein. In addition, Vairavan 
further discloses the first network link operates using at least one of HSSI protocol, T1 
protocol, E1 protocol, ATM protocol, Packet-Over Sonet/SDH protocol, Frame-DS3 
protocol, 1G Ethernet protocol, and 10G Ethernet protocol; wherein the first network link 
comprises a protocol that encapsulates data traffic; wherein the protocol comprises at 
least one of MPLS protocol, GMPLS protocol, VLAN (802.1q) protocol, HSSI protocol, 
T1 protocol, E1 protocol, ATM protocol, Packet-Over Sonet/SDH protocol, Frame-DS3 
protocol, 1G Ethernet protocol, and 10G Ethernet protocol, (paragraph 0047) 

11. As per claims 12 and 13, the rejections of claims 8-10 as being unpatentable 
over Vairavan in view of Esbensen and Martin are incorporated herein. In addition, 
Vairavan further discloses the converting step comprises: storing received packets in a 
collection buffer; stripping header information associated with a protocol of the first 
network link; and adding header information associated with a protocol of the second 
network link; wherein the step of storing comprises storing packets received from at 
least one of the first network and the third network link. (Fig. 1: inherent in a protocol 
conversion from WAN to LAN) 
12. As per claim 14, the rejections of claims 12 and 13 as being unpatentable over 
Vairavan in view of Esbensen and Martin are incorporated herein. In addition, the 
stripping step further comprising stripping header and checksum information associated 
with the protocol of the first network link and the adding step further comprising adding 
header and checksum information associated with the protocol of the second network 
link; wherein the step of storing comprises storing packets received from at least one of 
the first network link and a third network link are obvious enhancements because 
different communication protocols utilize different checksum values. 

13. As per claim 15, the rejections of claims 12 and 13 as being unpatentable over 
Vairavan in view of Esbensen and Martin are incorporated herein. In addition, the step 
of stripping comprising stripping at least one of a Layer 2 MAC header, an Ethernet 
source address, and an Ethernet destination address is an obvious enhancement 
because Ethernet is conventionally utilized in LAN technology. 

14. As per claims 44 and 45, the rejections of claim 1 as being unpatentable over 
Vairavan in view of Esbensen and Martin are incorporated herein. In addition, the 
historical network performance information comprises historical traffic profile; wherein 
the intrusion detection system uses the historical network performance information as a 
basis for an action. Martin, col. 3:34-4:12. One would be motivated to combine the 
teachings of Vairavan and Esbensen with the teachings of Martin to offload the 
processing from the central management application to the probes, thereby reducing 
bottlenecks at the management application as known to one of ordinary skill in the art. 
The aforementioned cover the limitations of claims 44 and 45. 

15. As per claims 21-28, 34, 46 and 47, the rejections of claims 1-15, 44 and 45 as 
being unpatentable over Vairavan in view of Esbensen and Martin are incorporated 
herein. In addition, Vairavan and Esbensen disclose the first network link comprises a 
protocol that encapsulates data traffic (WAN link). The aforementioned cover the 
limitations of claims 21-28 and 34, 46 and 47. 

16. As per claims 40-43, they are claims corresponding to claims 1-7, 12-15, 21-28 
and 34, and they do not teach or define above the information claimed in claims 1-7, 12- 
15, 21-28 and 34. Therefore, claims 40-43 are rejected as being unpatentable over 
Vairavan in view of Esbensen and Martin for the same reasons set forth in the rejections 
of claims 1-7, 12-15, 21-28 and 34. 

17. Claims 8-11, 29, 32 and 33 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Vairavan in view of Esbensen and Martin, and further in view of 
Schneier et al. US 7,159,237 (hereinafter Schneier). 

18. As per claims 8-11, the rejections of claims 1-3 as being unpatentable over 
Vairavan in view of Esbensen and Martin are incorporated herein. Neither Vairavan nor 
Esbensen discloses the step of maintaining, by the probe, an audit trail buffer for forensic 
analysis; wherein the audit trail buffer comprises a memory for recording monitored 
packets; wherein the memory records packets from at least one of the first network link 
and the third network link; upon receiving, by the probe, an event notification, 
communicating, by the probe, the current contents of the audit trail buffer. Schneier 
discloses a method for monitoring packet flows via probes/sentries, whereby data 
sensors collect data, filtering subsystems filter the data and an Anomaly engine 
analyzes the data; the Anomaly engine determines noteworthy information that may be 
worthy of further analysis and forwards such information to a communications and 
resource coordinator; whereby the coordinator forwards the information to the intrusion 
detection system. (col. 8:35-63) Such a feature enables uninteresting information to be 
discarded at the probe before being analyzed by a central intrusion detection system, 
thereby reducing the amount of information to be processed by the central intrusion 
detection system. (8:45-47) Therefore, it would be obvious to one of ordinary skill in the 
art at the time the invention was made for the invention of Vairavan to further include 
the steps of maintaining, by the probe, an audit trail buffer for forensic analysis; wherein 
the audit trail buffer comprises a memory for recording monitored packets; wherein the 
memory records packets from at least one of the first network link and the third network 
link; upon receiving, by the probe, an event notification, communicating, by the probe, 
the current contents of the audit trail buffer. One would be motivated to do so to reduce 
the amount of information to be processed by the central intrusion detection system as 
known to one of ordinary skill in the art. 
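An added example, not taken from the Office action or from any of the cited references, of the probe-side behaviour discussed in paragraphs 8 and 18: the probe summarizes monitored packets into bounded history buckets that it reports to the intrusion detection system, keeps an audit trail buffer of recent packets, and hands that buffer over when an event notification arrives. The bucket fields are a simplified, assumed analogue of RFC 2819 etherHistoryEntry, and the baseline check is an assumed illustration of using the history for detection.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class HistoryBucket:  # simplified, assumed analogue of an etherHistoryEntry row
    interval_start: int  # seconds; start of the interval this bucket covers
    pkts: int = 0
    octets: int = 0
    errors: int = 0


class Probe:
    def __init__(self, interval=30, buckets_requested=50, audit_capacity=1000):
        self.interval = interval
        self.history = deque(maxlen=buckets_requested)  # oldest bucket dropped first
        self.audit = deque(maxlen=audit_capacity)  # audit trail: recent packets only
        self.current = None

    def observe(self, ts, length, bad_crc=False):
        """Per monitored packet: update the current bucket and record to the audit trail."""
        start = ts - ts % self.interval
        if self.current is None or self.current.interval_start != start:
            if self.current is not None:
                self.history.append(self.current)  # close the finished interval
            self.current = HistoryBucket(start)
        self.current.pkts += 1
        self.current.octets += length
        self.current.errors += int(bad_crc)
        self.audit.append((ts, length, bad_crc))

    def history_report(self):
        """What the probe sends over the second link: interval summaries, not packets."""
        buckets = list(self.history) + ([self.current] if self.current else [])
        return [(b.interval_start, b.pkts, b.octets, b.errors) for b in buckets]

    def on_event(self):
        """Event notification: hand over the audit buffer contents and clear it."""
        contents = list(self.audit)
        self.audit.clear()
        return contents


def flag_intervals(report, factor=3):
    """IDS-side use of the history (assumed rule): flag an interval whose packet
    count exceeds `factor` times the mean of all earlier intervals."""
    flagged = []
    for i in range(1, len(report)):
        baseline = sum(r[1] for r in report[:i]) / i
        if report[i][1] > factor * baseline:
            flagged.append(report[i][0])
    return flagged
```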
19. As per claims 29, 32 and 33, they are claims corresponding to claims 8-11, and 
they do not teach or define above the information claimed in claims 8-11. Therefore, 
claims 29, 32 and 33 are rejected as being unpatentable over Vairavan in view of 
Esbensen, Martin and Schneier for the same reasons set forth in the rejections of 
claims 8-11. 



Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 



Communications Inquiry 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to JUNG KIM whose telephone number is (571)272-3804. 
The examiner can normally be reached on FLEX. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

/Jung Kim/ 

Primary Examiner AU 2432 



